Sensitive information Using Logs Cause Leak of Users personal details , Password, token.

Hello everyone Greeting All ! Today In this blog We are going to See How Android applications are vulnerable Which cause Impact User & cause of leak data which leaking through log file .

If Your doing penetration Testing against Your targeted Android application Inspecting adb logs often provides us a great deal of information which impact users of Your Application  .

What is Android log?

Every application use logs .Mobile application  developers use  Log class to log debugging information in to the device logs that interacting . These logs are accessible to any other application with READ_LOGS On Vulnerable Application Due to developer Mistake . If Your using prior to the Android 4.1 version  android:minSdkVersion=”14” which is vulnerable.

This an attacker can take advantage of if attacker has physical access attacker easily use LOGCAT and capture all logs details and steal user  data such as bank details, user name, password, APi , CSRF Token etc.

What is logcat?

Logcat is a CLI tool that dumps a log of system messages, including stack traces when the device cause an error and messages , data that you Interact & written from your app with the Log class. That Logcat easily capture all trace stack against Your targeted website This tool helpful for Developer & Penetration tester .

WORK FLOW:
  1. We have Vulnerable Android application which is vulnerable which leaking user sensitive information In logs , Application has Login Interaction

Now use adb to Access android shell In order to access adb shell we will  use command:

  • Adb shell
  • 2. Now As User Login With Your Credentials And run command:-
  • Logcat | grep “application name ”

Above command will capture all Upcoming logs according to our given apk .

Now to capture user password User email Accordingly You can use regex

  • Logcat | grep “password”
How To Mitigate Against Risk:
  • Make sure Your using Android more then 4.1 and only system apps can access the device logs.
  • Add the following code into the ProGuard config file which mitigate against risk .
-assumenosideeffects class android.util.Log{*;}

References : https://androidpedia.net/en/tutorial/1552/logging-and-using-logcat

Thanks For Reading……. See You In Another Blog!

Stick With Our Blog : https://securiumsolutions.com/blog/

Author : Pallab Jyoti Borah | VAPT Analyst

Leave a Comment

Your email address will not be published. Required fields are marked *